From security-alert@NETBSD.ORG Thu Jul 2 00:12:41 1998 From: security-alert@NETBSD.ORG To: BUGTRAQ@NETSPACE.ORG Date: Sat, 27 Jun 1998 20:37:31 +1000 Subject: NetBSD Security Advisory 1998-004: at(1) vulnerabilities. -----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 1998-004 --------------------------------- Topic: Problem with at(1) allows any file to be read. Version: NetBSD 1.3.2 and earlier. Fixed in NetBSD-current 19980626. Severity: Local user may be able to read any file. Abstract - -------- Due to a bug in the at(1) program, any local user can queue any file on the system for execution by /bin/sh, readable by root. As at(1) returns errors to the submitter, it is possibly that they may obtain parts of the file. Technical Details - ----------------- The at(1) sources use seteuid(2) to user ID swap between the user and root. at(1) incorrectly was setting it's cached real and effective user ID to 0 before opening a filename passed via the -f flag, allowing any file readable by root to be read as commands to be executed. For example, if at(1) was called like this: % at -f /etc/master.passwd now + 1 minute portions of /etc/master.passwd may be mailed back to the user. In this example, the security of the passwords in /etc/master.passwd was compromised. Solutions and Workarounds - ------------------------- The patch listed below changes at(1) to not change the cached real and effective user ID values, but instead, switching to root as necessary. By removing the `REDUCE_PRIV' call, and calling `PRIV_START' and `PRIV_END' around the final fchmod(2), security is obtained. If the patch can not be applied, the following command should be run as root, to remove the set-user-ID flag from the at(1) binary: # chmod u-s /usr/bin/at Note that this will disable at(1) for normal users. The patch has been made available for NetBSD 1.3, 1.3.1 and 1.3.2, and can be found on the NetBSD FTP server: ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19980626-at Thanks To - --------- The NetBSD Project would like to thank Wolfgang Rupprecht for providing information about this problem, and matthew green for providing a solution. More Information - ---------------- Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 1998, The NetBSD Foundation, Inc. All Rights Reserved. -----BEGIN PGP SIGNATURE----- Version: 2.6.1 iQCVAwUBNZTIYT5Ru2/4N2IFAQEJvAP7B+6NGxodePtt+/WrOzE/e4hu1PCLS1Le DXvwLpvfwiaB3zOhIgGcVr1EzgX3O0mmQqy8eWaYjEP41+p1HfRZf7idTXmmqpQY pkYAeWc5FwZ59mHy4/bYibPNUKTxBY/QMSmhtbI4hKg81Xm5sCQe800h58cDju0s P3qy30MwaUw= =B19v -----END PGP SIGNATURE-----